nextcloud / password_policy

:lock: Let the admin define certain rules for passwords, e.g. a minimum length
GNU Affero General Public License v3.0
36 stars 19 forks source link

Account does not get blocked despite wrong password when using email address for login #528

Open LM-vb opened 3 years ago

LM-vb commented 3 years ago

How to use GitHub

Steps to reproduce

  1. Under Administration/Security/Password Policy: set "Number of login attempts before the user account is blocked" to e.g. 3.
  2. Logout and try to login as an exisiting user, using the user name (not the email address) and a wrong password. The user account gets blocked after above set number of tries.
  3. After re-enabling the account, try to login using the email address (not the user name) and a wrong password. The user account does not get blocked after above set number of tries

Expected behaviour

The account should get blocked, no matter if the user name or its email address is used.

Actual behaviour

The account does not get blocked if the email address is used.

Server configuration

Nextcloud version: 21.0.5

Updated from an older Nextcloud/ownCloud or fresh install: updated

LM-vb commented 3 years ago

After upgrading to 22.2.0: this bug is still present.

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

LM-vb commented 1 year ago

On 25.0.3: this bug is still present and not fixed.

LM-vb commented 9 months ago

NC 28.0.3: this bug is still present and not fixed.